Posted
by
BeauHDon Monday September 11, 2017 @08:25PM
from the plan-of-action dept.

After deciding to distrust Symantec's certificates in March, Google has decided to release a more detailed plan for how that process will go. Tom's Hardware reports: Starting with Chrome 66 (we're now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out. Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66. After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome. By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued. Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google's Chrome browser.

Regardless of what Google does or doesn't do correctly regarding their own certs, Symantec has nobody to blame but themselves for this one. They deserve what they're getting because they played fast and loose with the rules to make a buck.

I think it's about high time we actively start working around Google.Sure they used to be cool, like 20 years ago. Now they're just a powerhungy privacy eating machine and very far from doing "no evil"; they need to go.

What work around? What company or service can you use to get the information or level of service you can by using Google products? If a new privacy centric company came out and took over the world they would become Google. With all of the same privacy concerns. Even a company you started and ran. Every single person on this planet would at some point make the exact same decisions Google has along the way. Unless you never get to this size and only stay a tiny fraction of a percent of the market. Then and only then will a company care about privacy. You sacrifice privacy in the name of convenience. Without convenience you can still have privacy. With convenience comes a lack of privacy. The more convenient our lives become the less privacy there will be. In 100 years even someone like yourself or the most private paranoid person will have ZERO privacy. The only people to have privacy then will be those using NO technology of anysort. So pretty much only the few Amish who remain alive in 100 years.

We use Microsoft's equivalents because, when it came to negotiating the license, the Google approach was take it or leave it, whereas MS worked with our IT folk to put together a contract that didn't violate any NDAs or regulatory requirements for data integrity that different departments had. The Google license was basically incompatible with any organisation that has any legal data protection requirements.

Nope, just the Office 365 stuff (and their associated cloud file store thingy). I don't use it personally (except to get the bundled version of PowerPoint, because DARPA does so love PowerPoint slide decks), but it's popular in some other departments. My understanding is that the Android and iOS versions of Office give you a fairly seamless transition from their Windows Phone equivalents: just log in with the credentials and all of your files is available. We don't use their mail system, because our mail

And Google has always been an advertising company with cool technology. Every single move Google makes is targeted towards increasing their ad revenue.

The only thing I take issue with there is "with cool technology". I've been forced to use their stuff. It only seems cool until you actually use it. Then the warts, boils and turds come out in force. It's almost as bad as MS tech, maybe worse these days.

I was working on the computer a few nights ago, I booted it up, and started my browser. Up pops a screen, that tells me that Symantec and Arris have entered into a partnership to keep me safe from Malware.

Hmm, that's odd. I do my own security, and it works pretty well. And I want nothing to do with Symantec.

I try opening a few other web pages in safari and then Firefox. Same thing happens.

Crap - I think I've been nailed. Well, I have a good backup system. It will be a PITA, but whatever.

So before I did that, I went back and looked at the browser hijack page. I click on the "why am I seeing this?" link. I get a certificate not valid. Shit. I click on the Terms of service link. Same thing. I try a few more random pages. Nothing works. And when you can't read the terms of service, something is really wrong. So I start to re-image the machine. This will take most of my evening away.

I call Arris to tell them of the problem. And they tell me that this is a new feature they are rolling out to select customers.

A few seconds while I absorb this. Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now! I told them their "service" presents as a browser hijack, I did not and would not sign any terms that I didn't accept when I bought the router, and if it wasn't gone immediately, I would box up the router, and return it to where I bought it, with a full explanation and review of the problem. So they then had to work with Symantec to kill what they had done.

Sorry Symantec, take your browser hijack which won't let me access any websites unless I agree to terms that I cannot see, and bend over, and shove it up your anus as far as you can, using a pincone, then a baseball bat, and after that, a dildo covered with sandpaper.

This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

WTF, this is supposed to be a site for nerds. It says so right there at the top.

It's commonplace in other parts of the world, China, India, Philippines, etc. They'll not only inject ads into your browsing session, but on mobile they'll put one of those Apple-style floating circles in the corner, to "help" you.

ISPs have been screwing to HTTP for over a decade around here. When I have issues the first thing I check is if I'm not connected to my VPN for some reason, and if I get the same result on a mobile connection. I've never had to go beyond checking those two so far.

Seeing browser hijack and concluding your machine was pwned isn't unreasonable. Injection by ISP is such sacrilege that it isn't something most techies would check as the first step.

Exactly. https://en.wikipedia.org/wiki/... [wikipedia.org] It is not unusual for a hijack to also install a keylogger, so at the time, this happened, I wasn't for certain that I wasn't totally pwned. Seriously unethical, and regardless, I had no internet access unless I either called Arris and got the shit turned off, or clicky clicky on a mysterious link that would install or do gawd knows what.

What is a little surprising is self acknowledged experts who seem to think otherwise. I personally am interested in their mo

If you didn't install or change any software yourself, yes, troubleshooting as a DNS issue would be first priority.
Wouldn't you want to find out how the mysterious infection occurred before reimaging and having it reinfected?
Seriously, this was poor troubleshooting.
Do you freak out the first time signing into a hotel hotspot with walled garden redirect? If not, you're smarter than OP.

Much like Google removed its "Don't be Evil" motto when they rebranded into Alphabet, Slashdot removed the "News for Nerds" motto some years ago. Now it's just a property of dice.com or whoever the hell owns it now.

You can see on the front page, comments barely go into triple digits any more. Slashdot is a shell, and I don't know why I keep coming here. Habits are hard to break.

As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

As a security guy, I have found nearly all software designers, architects, "engineers", CS professionals, whatever they wish to call themselves to be little better than a gadget enthusiast when it comes to security. They are taught an attitude by many and reinforced by each other that knowing one level or area of information technology makes them competent at every aspect. It's like a physicist believing they are just as good as a chemist at chemistry because it's all physics in the end anyway.

They are wrong. That's why an average system needs dozens of weekly patches. That's why modern software still falls victim to the same old exploits. That is why my field exists.

So I should probably give thanks for security incompetence to be the norm among even the most veteran programmers.

Okay, since all of the experts here on Slashdot are pillorying my for my stupidity, now that I have a security professional, I'd like a security professional's answer.

You are sitting at a computer that has been functioning properly for a long time. Typical security procedures, an anti-virus, regular updates, firewall both on the computer and on the router.

Now, instead of any internet access, when you open a browser, you get one screen only. An announcement that the router you are using's manufacturer a

This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."

WTF, this is supposed to be a site for nerds. It says so right there at the top.

Oh, dear, I'm getting a lecture. Lookie fellow, this transpired over time, and it was rather shocking that even McAffee, who don't have a lot of ethics to begin with, would hijack a browser.

I'd have to first Know that McAffee and Arris had entered into this unholy matrimony, Then I'd have to not be suspicious of of links that gave me 1, bad certificates ( perhaps you as a self acknowledged genius like bad certificates) and the other link for the TOS, didn't show me anything.

How did you conclude it's the ISP? If Symantec and Arris enter into a partnership it's even possible you got bum router firmware from Arris.

In a world where every device can be updated automatically at any time, any device can be updated at any time.

But thanks for the correction.

It wasn't the ISP. It was Arris and Symantec. But that was only confirmed by contacting Arris, and later Symantec.

I wonder if slashdotters think that any webpage they go to is legit. If so, it brings some understanding to the number of security breaches like Equifax et al. Security like that is hard to find. Or not.

10 minutes? My laptop's SSD can manage 300MB/s sustained writes on a good day. Ten minutes is enough to write 175GB. The drive is 1TB and about 900GB is used. Assuming that I had the data in a form that I could just stream to the disk without the FS getting in the way, it would take around 50 minutes, and that's assuming that the SSD could actually sustain that write speed for that long (it can't). Either your system disk and your backups are NVMe, or you don't have much data on your computer...

You called Arris? Arris doesn't do MITM, they do hardware. Your ISP does MITM. Time Warner (now Spectrum), Cox, Xfinity, or whatever, is your ISP. That's who you call. Also, Arris is in bed with McAfee, not Symantec. Are you using your ISPs DNS servers on your router? STOP DOING THAT IMMEDIATELY! Use OpenDNS, or Comodo, or Level3, or anything else! If you still see anything off, use a VPN.

Tell me, if you lost internet access, and the only way you could get it back was to click on the only webpage that showed up, would you without hesitation, click on that link? You either have no access, call the people who are presumably the ones who did this to you, or click the link.

If you answer anything other than you contact the people responsible, you have absolutely no place telling me I know nothing, and frankly, you need to stick to surfing shemal

I'd use check my router IP settings and then use ping and traceroute to start with, just to see what's going on. If you think not having access to the world wide web is the same as losing internet access you really should stick to something less technical.

I'd use check my router IP settings and then use ping and traceroute to start with, just to see what's going on. If you think not having access to the world wide web is the same as losing internet access you really should stick to something less technical.

So anyhow, you would not have engaged in communications with the people who claimed to have enabled this? Elucidate, and instead of being a slashdot genius, tell me why I should not have.

You asked the router manufacturer (Arris) to "remove the Symantec from your computer", and then you reimage your PC when someone tries to MitM you? If that actually makes sense to you then I stand by everything I've said.

It's cool if you don't want to know how the stuff you use works, I bet almost no one knows how all the stuff they use works, there is a lot of technology in use today. But this is supposed to be a technical site; different standards. And no, I would not have called Arris, but then I don't

You asked the router manufacturer (Arris) to "remove the Symantec from your computer", and then you reimage your PC when someone tries to MitM you? If that actually makes sense to you then I stand by everything I've said.

No, actually I did not. say tha. You might think that you are smarter than me in all ways, but what I wrote, and which for some unknown reason you lied about is:

"Then I tell them that anything that has anything to do with Symantec must be removed from my computer, and removed now!

That is cut and pasted from my post. You can put that in quotes. Not what you did. Because what you put in quotes was untrue.

An unreasonable request? I did not know at the time if "anything" that had anything to do with Sy

Yes, it's unreasonable to ask a router OEM to alter the configuration of your PC unless you have some sort of contract with them.

My first suspicion given the very limited info you have provided is that your browser traffic was being routed through some sort of sandboxing and/or deep inspection proxy, but I can't be sure without actually having a look. The agency being used to implement that redirection could be many places but most likely it's so

Their lets-just-copy-whatever-chrome-does -management team goes to Hawaii for some strategy meetings that take a week and concludes that while they do not understand why chrome did some change, they will copy that change anyway.

Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

They may have many products & services, or only a few, but without TRUST they have nothing.

One of the problems that PGP solved a quarter century ago, was understanding that it's hard/foolish to put all your eggs in one basket. Trust is a matter of degrees. It's batshit insane that our trust levels are "I completely trust you, absolutely" and "I don't trust you at all." In real life, you almost never use the former, and you trivially upgrade from the latter (but almost never all the way up to the former!).

When an introducer is sort of trusted, and sort of not, it should be entered that way and han

They survived because for a large number of people trust isn't supreme: they are liars, they lie to themselves and to others, and when liars discover that a company they use has lied, well, deep down they know it's not that bad. They like their Volkswagen, nay love their Volkswagen, and so internal logic concludes it's not worth changing car companies over some lie that hardly affected them. For these people, and to an extent all people, trust is set r

When it comes to car companies, why did you single out Volkswagen? They weren't the only one to cheat on the tests, most of the companies have been found to have done so since then. They were just the first one discovered. Or were you thinking of something else.

With cars, I would have picked Ford for the "Ford firebomb" otherwise known as the Pinto.

Many businesses have only one feature to support their business model: TRUST. Symantec is one. Equifax another. All the financial firms: Merrill Lynch, Wells Fargo, B of A... Some manufacturers: Volkswagen, Gerber baby products, Mylan pharmaceuticals... Many of these and more have disgraced themselves at some time and somehow survived; the others are forgotten.

They may have many products & services, or only a few, but without TRUST they have nothing.

I think just about every single company you've listed proves your point wrong - we have seen time and time again that companies who lose the trust of their userbase still manage to stay in business, sometimes even thrive.

Companies have proven in practice that without TRUST it'll still be business as usual.

Initially someone pointed out that they were just signing a bunch of test domains that were actually registered but both internal and external audits eventually found that they had delegated signing through cross-certificates to various banks and telecom agencies and ~30,000 certs were being issued by these "Regional Authorities" including google.com and various of it's subdomains.

Symantec has proven to not be trustworthy, initially it appeared to whitelist NSA malware, now we see that it's just giving away signing authority to international agencies and governments.

By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.

Waiting a year is bullshit. All Symantec certs should be distrusted effective November 1 of this year, not next year. If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

While agree that Symantec should be taken behind a shed and shot right away, if we do it this way ricochet will hurt a lot of innocent businesses that have nothing to do with this. Year gives them barely enough time to move out of the way.

A year seems a long time. I'd start by immediately downgrading all EV certs from Symantec to normal certs. Then, a month later, remove the padlock icon entirely and treat them as if they were HTTP. Two months after that, distrust them entirely.

As for those innocent businesses: they were sold a cert by Symantec with 'accepted by all major browsers' in the advertising. They're going to get a full refund (and if they don't, you can bet that the class action suit will hurt Symantec more than giving refun

It would be better to let the customers get hurt I'm afraid. They can sue Symantec for any costs or lost revenue. If it's that critical then Symantec should have had indemnity insurance and the customers should have had insurance.

Don't forget, the consequence of delaying is that innocent people can be victimized with bad Symantec certificates. There is no option that avoids harming anyone.

If you can't get a new cert in 30-45 days you don't really give a shit and your website shouldn't be trusted.

You're talking from the perspective of a company where the website is an active and maintained part of their strategy. There are many for which a website is nothing more than a tool, many small shops with small online shopping carts, completely 3rd party outsourced IT where this will do no more than cause them additional expense assuming they are aware of the issue at all before the entire site goes down the red warning hole.

They should have done this much faster. Once they decided there was a problem, tell people they have 90 days to get a new certificate. What's the big deal? For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

There was no reason to give Verisign enough time to salvage their business and sell it off instead of just killing them the way they should have been.

This had *nothing* to do with being kind to Symantec and the old Verisign business, it's all to do with giving users a chance to update their environment before everything breaks.

If an untrusted cert breaks things, then the user's browser is defective.

It should work, but the UI should indicate that it's not totally sure who the user is connected to. That's ok to do, because it's true. (An untrusted cert should never, ever have any negative consequences or keep things from working if the user so chooses; it

Symantec doesn't do free certs, so no one is likely to be using them for non-commercial sites where Let's Encrypt would be appropriate. Most of their business is in the form of EV Certs [wikipedia.org]. The process of applying for an EV certificate can take several weeks, once you've picked the replacement provider, because there are several round trips of paperwork. 90 days is probably long enough, but it's cutting it a bit fine for a lot of people.

EV certs show that the CA has performed some validation that the certificate is associated with a specific organisation, not just with a domain name. It's how you know that the cert for paypal.com is owned by PayPal Inc. and the domain for paypal.scammer.com is not.

For most purposes, a free one from Let's Encrypt is good enough (it shows up in the browser as trusted--what more do you want?).

Why exactly is Let's Encrypt actually good enough? How is Let's Encrypt any better than StartSSL - which has already had its trust revoked?

Current initiatives of major browser developers such as Mozilla and Google to deprecate unencrypted HTTP are counting on the availability of Let's Encrypt. - Wikipedia [wikipedia.org]

Which is extremely humorous considering that Let's Encrypt requires tcp/80 to be open for ACME (Automated Certificate Management Environment) to verify the initial identity of the host name being requested. By requiring tcp/80 to be open you're doubling the attack surface of something that could have only needed tcp/443.

Let's Encrypt so far hasn't yet gotten their hands caught in the cookie jar and they are infinitely more transparent than most paid cert providers. Certificate providers in general do not put up a public ledger of all certificates it has signed, they barely even verify whether you are the owner of a domain and/or site. LE at least requires valid domain setups and unless you've been rooted (at which all bets are off regardless of your CA) you have to put up a challenge to make sure you can renew and certs ar

On the converse, our company will be dropping Symantec AV in less than a month (which means we will have zero Symantec on our network). No more SEPM server, I really don't like using it. It is a huge PITA.